Business Continuity Flashcards
Which Cyber Kill Chain step relates to tricking users into installing malware on their devices?
A. Delivery
B. Weaponization
C. Reconnaissance
D. Installation
A. Delivery
In the Delivery phase of the Cyber Kill Chain, the attacker delivers the malicious payload to the target system. This is the step where users are tricked into interacting with or installing the malware. Common methods of delivery include phishing emails, malicious attachments, compromised websites, or infected software downloads.
Here’s a breakdown of the Cyber Kill Chain steps:
1. Reconnaissance: The attacker gathers information about the target.
2. Weaponization: The attacker develops the malware or exploit.
3. Delivery: The attacker delivers the malware to the target.
4. Exploitation: The attacker exploits a vulnerability to gain access.
5. Installation: The malware is installed on the target system.
6. Command and Control: The attacker establishes communication with the infected system.
7. Actions on Objectives: The attacker carries out their malicious actions.
Which business continuity metric relates to the maximum tolerable amount of down time?
A. RTO
B. SLA
C. RPO
D. MTTR
A. RTO (Recovery Time Objective)
RTO is the target time for restoring a business process or system after an outage: how long the organization can tolerate the disruption before the consequences become unacceptable. Strictly speaking, the absolute ceiling is often called the Maximum Tolerable Downtime (MTD), and the RTO is set at or below it; among the options listed, RTO is the metric that expresses tolerable downtime.
After eradicating threats using the IRP, which step is done next?
A. Verify that the threat has been eradicated
B. Update the IRP
C. Generate an incident summary report
D. Patch vulnerable systems
A. Verify that the threat has been eradicated
After eradicating the threat using the Incident Response Plan (IRP), the next logical step is to verify that the threat has been fully removed. This ensures that no remnants of the attack remain that could potentially lead to further issues or compromises.
Here’s a breakdown of the steps:
A. Verify that the threat has been eradicated: It’s crucial to ensure that all traces of the threat, including malware, unauthorized access, or compromised accounts, have been completely removed before moving to the next phase.
B. Update the IRP: While it’s important to review and update the IRP periodically, this comes after the verification of eradication, not immediately afterward.
C. Generate an incident summary report: The incident summary report is typically generated once the threat has been eradicated and verified, often during the post-incident phase.
D. Patch vulnerable systems: Patching is usually part of eradication itself or of the recovery phase that follows, closing the vulnerability that was exploited so the system cannot be reinfected; it is not the verification step that immediately follows eradication.
So, the immediate next step after eradicating the threat is verifying that it has been fully eradicated.
What is the primary purpose of incident containment?
A. Report generation
B. Prevent spread
C. Patching
D. Eradication
B. Prevent spread
The primary purpose of incident containment is to prevent the spread of the incident, whether it’s malware, unauthorized access, or any other type of cyber-attack. Containment involves isolating the affected systems or networks to stop the threat from spreading to other parts of the organization or affecting additional systems.
Which business continuity metric relates to the maximum tolerable amount of data loss?
A. RTO
B. SLA
C. MTTR
D. RPO
D. RPO.
RPO stands for Recovery Point Objective, the maximum amount of data loss that an organization is willing to tolerate in the event of a disaster. It defines the point in time to which data must be restored after an outage, and therefore how often backups or replication must run: the lower the RPO, the less data loss is acceptable.
Which type of DNS record query is rare and could indicate command and control traffic?
A. AAAA
B. TXT
C. A
D. CNAME
B. TXT.
TXT (Text) records in DNS hold arbitrary text, such as domain verification tokens or SPF (Sender Policy Framework) policies for email security. They are not rare on the Internet as a whole, but an ordinary workstation has little reason to query them; mail servers and verification tools do. Attackers can encode commands or stolen data in TXT record contents and in the subdomains being queried, using the organization's own resolver as a relay that bypasses many egress controls. A client issuing many TXT queries, especially for long or constantly changing subdomains of one domain, is therefore worth investigating as possible C2 or exfiltration traffic.
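As an added example (not part of these flashcards), the script below applies that reasoning to resolver logs: it counts TXT queries per client and flags clients whose TXT traffic is a large share of their queries and targets many distinct, high-entropy subdomains of one base domain. The log lines are constructed for the example, in a simplified tab-separated Zeek-style layout (timestamp, client, query name, query type); the field order, the thresholds and the sample addresses are assumptions to adjust for your own resolver.

```python
"""Flag DNS clients whose TXT query pattern looks like a C2 or tunnelling channel.

Added example, not from the original flashcards. Log format is a constructed,
simplified Zeek-style dns.log: tab-separated ts, client, qname, qtype.
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.7 issues repeated TXT queries for unique hex-like
# subdomains of example.org (the "C2 domain" in this sample), while the other
# clients show ordinary traffic plus one SPF-style TXT lookup of a bare domain.
SAMPLE_LOG = """\
1700000001.1\t10.0.0.5\twww.example.com\tA
1700000002.2\t10.0.0.5\tmail.example.com\tAAAA
1700000003.3\t10.0.0.6\tcdn.example.net\tCNAME
1700000004.4\t10.0.0.6\texample.net\tTXT
1700000005.5\t10.0.0.7\t3a9f1c7e2b.upd.example.org\tTXT
1700000006.6\t10.0.0.7\t8d21e0f4a6.upd.example.org\tTXT
1700000007.7\t10.0.0.7\tc4b77d0e19.upd.example.org\tTXT
1700000008.8\t10.0.0.7\t5e0a2f9b3c.upd.example.org\tTXT
1700000009.9\t10.0.0.7\tf1d6c8a204.upd.example.org\tTXT
1700000010.1\t10.0.0.7\tintranet.example.com\tA
"""

# Assumed thresholds; tune against a baseline of your own clients.
MIN_TXT_QUERIES = 3      # ignore one-off SPF/DKIM/verification lookups
MIN_TXT_RATIO = 0.5      # TXT is a small minority of a normal client's queries
MIN_DISTINCT_LABELS = 3  # DNS C2 encodes data in ever-changing subdomains
MIN_LABEL_ENTROPY = 2.5  # bits/char; hex or base32 blobs score high, "www" does not


def parse_line(line):
    """Return (client, qname, qtype) from one record, or None if malformed."""
    parts = line.strip().split("\t")
    if len(parts) != 4:
        return None
    _ts, client, qname, qtype = parts
    return client, qname.lower().rstrip("."), qtype.upper()


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a name into (leftmost label, two-label base); (None, qname) when
    there is no subdomain. Public-suffix handling (e.g. co.uk) is omitted."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[-2:])


def analyze(log_text):
    """Return per-client TXT statistics plus a 'suspicious' verdict."""
    total = defaultdict(int)
    txt_count = defaultdict(int)
    txt_labels = defaultdict(lambda: defaultdict(set))  # client -> base -> labels
    entropies = defaultdict(list)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype = rec
        total[client] += 1
        if qtype != "TXT":
            continue
        txt_count[client] += 1
        label, base = split_name(qname)
        if label is not None:
            txt_labels[client][base].add(label)
            entropies[client].append(shannon_entropy(label))

    report = {}
    for client, n in total.items():
        txt = txt_count[client]
        ratio = txt / n
        # label churn: most distinct subdomain labels queried under one base
        churn = max((len(v) for v in txt_labels[client].values()), default=0)
        ent = entropies[client]
        mean_entropy = sum(ent) / len(ent) if ent else 0.0
        suspicious = (txt >= MIN_TXT_QUERIES and ratio >= MIN_TXT_RATIO
                      and churn >= MIN_DISTINCT_LABELS
                      and mean_entropy >= MIN_LABEL_ENTROPY)
        report[client] = {"queries": n, "txt": txt, "txt_ratio": round(ratio, 2),
                          "label_churn": churn,
                          "mean_label_entropy": round(mean_entropy, 2),
                          "suspicious": suspicious}
    return report


if __name__ == "__main__":
    for client, stats in analyze(SAMPLE_LOG).items():
        if stats["suspicious"]:
            print(f"ALERT {client}: {stats}")
```

The single TXT lookup from 10.0.0.6 is not flagged because it never reaches the query-count threshold, which is the point of combining several weak signals: any one of them alone (a TXT query, a long label, a high ratio over two queries) produces false positives, while a workstation that trips all four at once deserves a look at the full packet capture for the encoded payload.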
What do incident response plans that strive to return disrupted systems to a functional state quickly adhere to?
A. GDPR
B. RTO
C. SLA
D. RPO
B. RTO.
RTO (Recovery Time Objective) refers to the maximum acceptable amount of time that a system or service can be down before it is restored to normal operation. Incident response plans that aim to return disrupted systems to a functional state quickly are focused on minimizing downtime and adhering to a defined RTO. The goal is to restore critical systems and services as quickly as possible to ensure business continuity.
Which pillar of the Diamond Model of Intrusion Analysis focuses on communication channels?
A. Adversary
B. Capability
C. Victim
D. Infrastructure
D. Infrastructure.
In the Diamond Model of Intrusion Analysis, the Infrastructure pillar focuses on the communication channels used by adversaries to interact with their targets. This includes the networks, servers, or systems that facilitate the communication between the attacker and the victim. These communication channels could involve various technologies such as Command and Control (C2) servers, web servers, or even encrypted tunnels used by the adversary to maintain their operations.
After eradicating and verifying a malware outbreak on the network, you perform a post-incident analysis to determine how quickly the IRP was applied. Which metric should you analyse?
A. Disk write bytes
B. Recovery time objective
C. Mean time to respond
D. Disk read bytes
C. Mean time to respond.
Mean Time to Respond (MTTR) measures the average time from detection of an incident to the response team acting on it. After eradicating and verifying a malware outbreak, reviewing MTTR shows how quickly the Incident Response Plan (IRP) was applied and where the delays sat between detection and resolution. Note that the abbreviation is overloaded (mean time to repair, recover, resolve or respond), so state which definition a report uses; disk read and write byte counts are performance counters, and the recovery time objective is a target set in advance, not a measurement of how the team performed.
You are updating the incident response plan (IRP) for an automated assembly line process. Which IRP component will facilitate speedy escalations when needed?
A. Communication plan
B. Revision history
C. Definition of terms
D. Eradication procedures
A. Communication plan.
A Communication plan is a critical component of an Incident Response Plan (IRP) that facilitates speedy escalations when needed. It outlines how information will be communicated during an incident, including the escalation process, who needs to be notified, and the channels to be used for fast and clear communication. This ensures that key stakeholders are promptly informed, and necessary actions can be taken quickly, reducing the time it takes to escalate and resolve an incident.